diff --git a/README.md b/README.md
index 4ef8121751..bfd91bea7a 100644
--- a/README.md
+++ b/README.md
@@ -161,7 +161,7 @@ public class Example {
 Fury fury = Fury.builder().withLanguage(Language.JAVA)
 // Allow to deserialize objects unknown types, more flexible
 // but may be insecure if the classes contains malicious code.
- .requireClassRegistration(false)
+ .requireClassRegistration(true)
 .build();
 // Registering types can reduce class name serialization overhead, but not mandatory.
 // If class registration enabled, all custom types must be registered.
@@ -173,7 +173,7 @@ public class Example {
 ThreadSafeFury fury = Fury.builder().withLanguage(Language.JAVA)
 // Allow to deserialize objects unknown types, more flexible
 // but may be insecure if the classes contains malicious code.
- .requireClassRegistration(false)
+ .requireClassRegistration(true)
 .buildThreadSafeFury();
 byte[] bytes = fury.serialize(object);
 System.out.println(fury.deserialize(bytes));
diff --git a/docs/guide/java_object_graph_guide.md b/docs/guide/java_object_graph_guide.md
index 387a57a53e..eaabb669cc 100644
--- a/docs/guide/java_object_graph_guide.md
+++ b/docs/guide/java_object_graph_guide.md
@@ -31,7 +31,7 @@ public class Example {
 Fury fury = Fury.builder().withLanguage(Language.JAVA)
 // Allow to deserialize objects unknown types, more flexible
 // but may be insecure if the classes contains malicious code.
- .requireClassRegistration(false)
+ .requireClassRegistration(true)
 .build();
 // Registering types can reduce class name serialization overhead, but not mandatory.
 // If class registration enabled, all custom types must be registered.
@@ -82,7 +82,7 @@ public class Example {
 private static final ThreadSafeFury fury = Fury.builder()
 // Allow to deserialize objects unknown types, more flexible
 // but may be insecure if the classes contains malicious code.
- .requireClassRegistration(false)
+ .requireClassRegistration(true)
 .buildThreadSafeFury();
 public static void main(String[] args) {
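Review bot: The comment kept as context directly above `.requireClassRegistration(true)` in the first README.md hunk still says "Allow to deserialize objects unknown types, more flexible but may be insecure", which describes the old `false` setting and now sits on top of the opposite value. A reader copying the example could conclude that `true` is the permissive, risky option. I would reword it to something like `// Only registered classes can be deserialized; passing false accepts unknown types and may be insecure for untrusted data.` The same stale comment is left in the second README.md hunk and in both docs/guide/java_object_graph_guide.md hunks, and the trailing context line "Registering types ... but not mandatory" no longer matches an example that now requires registration.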
@@ -253,7 +253,7 @@ fury.getClassResolver().setClassChecker((classResolver, className) -> className.
 ```java
 AllowListChecker checker = new AllowListChecker(AllowListChecker.CheckLevel.STRICT);
 ThreadSafeFury fury = new ThreadLocalFury(classLoader -> {
- Fury f = Fury.builder().requireClassRegistration(false).withClassLoader(classLoader).build();
+ Fury f = Fury.builder().requireClassRegistration(true).withClassLoader(classLoader).build();
 f.getClassResolver().setClassChecker(checker);
 checker.addListener(f.getClassResolver());
 return f;
diff --git a/docs/guide/scala_guide.md b/docs/guide/scala_guide.md
index c88fe2e64f..7e70440568 100644
--- a/docs/guide/scala_guide.md
+++ b/docs/guide/scala_guide.md
@@ -23,15 +23,18 @@ When using fury for scala serialization, you should create fury at least with fo
 ```scala
 val fury = Fury.builder()
 .withScalaOptimizationEnabled(true)
- .requireClassRegistration(false)
+ .requireClassRegistration(true)
 .withRefTracking(true)
 .build()
 ```
-Otherwise if you serialize some scala types such as `collection/Enumeration`, you will need to register some scala internal types:
+Depending on the object types you serialize, you may need to register some scala internal types:
 ```scala
 fury.register(Class.forName("scala.collection.generic.DefaultSerializationProxy"))
 fury.register(Class.forName("scala.Enumeration.Val"))
 ```
+If you want to avoid such registration, you can disable class registration by `FuryBuilder#requireClassRegistration(false)`.
+Note that this option allow to deserialize objects unknown types, more flexible but may be insecure if the classes contains malicious code.
+ And circular references are common in scala, `Reference tracking` should be enabled by `FuryBuilder#withRefTracking(true)`. If you don't enable reference tracking, [StackOverflowError](https://github.com/alipay/fury/issues/1032) may happen for some scala versions when serializing scala Enumeration. Note that fury instance should be shared between multiple serialization, the creation of fury instance is not cheap.